Scott C Moonen writes:
> > > > We've interpreted it as follows: 1) the old IKE SA's PRF is used to
> > > > produce SKEYSEED, but 2) the new IKE SA's PRF is used to produce
> > > > SK_x.
> > >
> > >Hmm... when reading my code, it seems I do the same, but when I read
> > >the text I interpreted it differe
Ni, and Nr from the new
exchange, and using the new IKE SA's PRF.
Scott Moonen (smoo...@us.ibm.com)
z/OS Communications Server TCP/IP Development
http://www.linkedin.com/in/smoonen
From: Paul Hoffman
To: Scott C Moonen/Raleigh/i...@ibmus, Tero Kivinen
Cc: IPsecme WG
Date: 12/10/2009 02:4
At 9:34 AM -0500 11/24/09, Scott C Moonen wrote:
>
> > > Section 2.18 also states that in the case of the old and new IKE SA
>> > selecting different PRFs, that the rekeying exchange (for SKEYSEED)
>...snip...
> > new PRF, is when new IKE SA is used to generate KEYMAT, or SKEYSEED
>> for next IKE S
Scott C Moonen writes:
> We've interpreted it as follows: 1) the old IKE SA's PRF is used to
> produce SKEYSEED, but 2) the new IKE SA's PRF is used to produce SK_x.
Hmm... when reading my code, it seems I do the same, but when I read
the text I interpreted it differently, so I think we need some
unications Server TCP/IP Development
http://www.linkedin.com/in/smoonen
From: Tero Kivinen
To: Paul Hoffman
Cc: IPsecme WG
Date: 11/24/2009 08:55 AM
Subject: [IPsec] #121: Rekeying IKE SAs: KEr errors and PRF question
Paul Hoffman writes:
> We earlier agreed in issue #
Paul Hoffman writes:
> We earlier agreed in issue #50 to make the KEr in Section 1.3.2
> (Rekeying IKE SAs with the CREATE_CHILD_SA Exchange) mandatory:
> <-- HDR, SK {SA, Nr, KEr}
> Note that this is not in the current draft, but will be in the next one.
>
> So, wha
Paul Hoffman wrote:
> We earlier agreed in issue #50 to make the KEr in Section 1.3.2
> (Rekeying IKE SAs with the CREATE_CHILD_SA Exchange) mandatory:
> <-- HDR, SK {SA, Nr, KEr}
> Note that this is not in the current draft, but will be in the next
> one.
>
> So, wh
We earlier agreed in issue #50 to make the KEr in Section 1.3.2 (Rekeying IKE
SAs with the CREATE_CHILD_SA Exchange) mandatory:
<-- HDR, SK {SA, Nr, KEr}
Note that this is not in the current draft, but will be in the next one.
So, what happens if the responder does n